A CA cert seems to be tied to my SSL VPN configuration that when a user connects it checks for this cert on their machine, how can I remove this validation since we are moving to MFA with DUO, I have machines that do not have certs that fail because the ASA is looking for certs.
Check the Authentication method for your AnyConnect connection profile (known as tunnel-group in the cli configuration).
If you're using ASDM it's under Configuration > Remote Access VPN > AnyConnect Connection Profile > Edit.
A much less common possibility is a DAP check. See if there's a dap.xml file on the ASA. That would be under the Host Scan section of Secure Desktop Manager section of the Remote Access VPN configuration.